idnits 2.17.1 draft-ietf-dhc-vpn-option-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1.a on line 18. -- Found old boilerplate from RFC 3978, Section 5.5 on line 313. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 290. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 297. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 303. ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure Acknowledgement. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate instead of verbatim RFC 3978 boilerplate. After 6 May 2005, submission of drafts without verbatim RFC 3978 boilerplate is not accepted. The following non-3978 patterns matched text found in the document. That text should be removed or replaced: This document is an Internet-Draft and is subject to all provisions of Section 3 of RFC 3667. By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** The abstract seems to contain references ([7]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 9, 2005) is 7009 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: '1' is defined on line 223, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2434 (ref. '6') (Obsoleted by RFC 5226) Summary: 8 errors (**), 0 flaws (~~), 4 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group R. Johnson 2 Internet-Draft J. Kumarasamy 3 Expires: August 10, 2005 K. Kinnear 4 M. Stapp 5 Cisco 6 February 9, 2005 8 Virtual Subnet Selection Option 9 draft-ietf-dhc-vpn-option-04.txt 11 Status of this Memo 13 This document is an Internet-Draft and is subject to all provisions 14 of section 3 of RFC 3667. By submitting this Internet-Draft, each 15 author represents that any applicable patent or other IPR claims of 16 which he or she is aware have been or will be disclosed, and any of 17 which he or she become aware will be disclosed, in accordance with 18 RFC 3668. 20 Internet-Drafts are working documents of the Internet Engineering 21 Task Force (IETF), its areas, and its working groups. Note that 22 other groups may also distribute working documents as 23 Internet-Drafts. 25 Internet-Drafts are draft documents valid for a maximum of six months 26 and may be updated, replaced, or obsoleted by other documents at any 27 time. It is inappropriate to use Internet-Drafts as reference 28 material or to cite them other than as "work in progress." 30 The list of current Internet-Drafts can be accessed at 31 http://www.ietf.org/ietf/1id-abstracts.txt. 33 The list of Internet-Draft Shadow Directories can be accessed at 34 http://www.ietf.org/shadow.html. 36 This Internet-Draft will expire on August 10, 2005. 38 Copyright Notice 40 Copyright (C) The Internet Society (2005). 42 Abstract 44 This memo defines a new DHCP option for passing Virtual Subnet 45 Selection (VSS) information between the DHCP client and the DHCP 46 server. It is intended for use primarily by DHCP proxy clients in 47 situations where VSS information needs to be passed to the DHCP 48 server for proper address allocation to take place. 50 The option number currently in use is 221. This memo documents the 51 current usage of the option in agreement with RFC-3942[7] , which 52 declares that any pre-existing usages of option numbers in the range 53 128 - 223 should be documented and the working group will try to 54 officially assign those numbers to those options. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 59 2. VSS Information Definition . . . . . . . . . . . . . . . . . 4 60 3. Security Considerations . . . . . . . . . . . . . . . . . . 6 61 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7 62 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 63 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 64 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 8 65 Intellectual Property and Copyright Statements . . . . . . . 10 67 1. Introduction 69 There is a growing use of Virtual Private Network (VPN) 70 configurations. The growth comes from many areas; individual client 71 systems needing to appear to be on the home corporate network even 72 when traveling, ISPs providing extranet connectivity for customer 73 companies, etc. In some of these cases there is a need for the DHCP 74 server to know the VPN (hereafter called a "Virtual Subject Selector" 75 or "VSS") from which an address, and other resources, should be 76 allocated. 78 If the allocation is being done through a DHCP relay, then a relay 79 suboption could be included. In some cases, however an IP address is 80 being sought by a DHCP proxy on behalf of a client (would may be 81 assigned the address via a different protocol). In this case, there 82 is a need to include VSS information relating to the client as a DHCP 83 option. 85 A good example might be a dial-in aggregation device where PPP 86 addresses are acquired via DHCP and then given to the remove customer 87 system via IPCP. In a network where such a device is used to 88 aggregate PPP dial-in from multiple companies, each company may be 89 assigned a unique VSS. 91 This memo defines a new DHCP [2] option, the VSS Information option, 92 which allows the DHCP client to specify the VSS Information needed in 93 order to allocate an address. If the receiving DHCP server 94 understands the VSS Information option, this information may be used 95 in conjunction with other information in determining the subnet on 96 which to select an address as well as other information such as DNS 97 server, default router, etc. 99 2. VSS Information Definition 101 The VSS Information option is a DHCP option [3]. The option contains 102 generalized VSS information in one of two formats: NVT ASCII VPN 103 identifier, or RFC2685 VPN-ID [4]. 105 The format of the option is: 107 Code Len Type VSS Information octets 108 +-----+-----+------+-----+-----+-----+--- 109 | 221 | n | t | v1 | v2 | v3 | ... 110 +-----+-----+------+-----+-----+-----+--- 112 Type: 0 NVT ASCII VPN identifier 113 1 RFC2685 VPN-ID 114 2-255 Not Allowed 116 Figure 1 118 The option minimum length (n) is 2. 120 There are two types of identifiers which can be placed in the VSS 121 Information Option. The first type of identifier which can be placed 122 in the VSS Information Option is an NVT ASCII string. It MUST NOT be 123 terminated with a zero byte. 125 The second type of identifier which can be placed in the VSS 126 Information Option is an RFC2685 VPN-ID [4], which is typically 14 127 hex digits in length (though it can be any length as far as the VSS 128 Information Option is concerned). 130 If the type field is set to zero (0), it indicates that all following 131 bytes of the option contain a NVT ASCII string. This string MUST NOT 132 be terminated with a zero byte. 134 If the type field is set to one (1), it indicates that all following 135 bytes should be interpreted in agreement with [4] as a VPN 136 Identifier, typically 14 hex digits. 138 All other values of the type field are invalid as of this memo and 139 VSS options containing any other value than zero (0) or one (1) 140 SHOULD be ignored. 142 Any VSS information contained in a DHCP Relay Suboption SHOULD 143 override the information contained in this VSS Information option 145 Servers configured to support this option MUST return an identical 146 copy of the option to any client that sends it, regardless of whether 147 or not the client requests the option in a parameter request list. 148 Clients using this option MUST discard DHCPOFFER or DHCPACK packets 149 that do not contain this option. 151 This option provides the DHCP server additional information upon 152 which to make a determination of address to be assigned. The DHCP 153 server, if it is configure to support this option, should use this 154 information in addition to other options included in the DHCPDISCOVER 155 packet in order to assign an IP address for DHCP client. 157 In the event that a VSS Informmation Option and a VSS Information 158 Relay Suboption are both received in a particular DHCP client packet, 159 the information from the VSS Information Suboption MUST be used in 160 preference to the information in the VSS Information Option. 162 Servers that do not understand this option will allocate an address 163 using their normal algorithms and will not return this option in the 164 DHCPOFFER or DHCPACK. In this case the client will discard the 165 DHCPOFFER or DHCPACK. Servers that understand this option but are 166 administratively configured to ignore the option MUST ignore the 167 option, use their normal algorithms to allocate an address, and MUST 168 NOT return this option in the DHCPOFFER or DHCPACK. In this case the 169 client will discard the DHCPOFFER or DHCPACK. In other words, this 170 option MUST NOT appear in a DHCPOFFER from a server unless it was 171 used by the server in making the address allocation requested. 173 This option SHOULD NOT be used without also making use of the DHCP 174 Authentication option [5]. 176 3. Security Considerations 178 Message authentication in DHCP for intradomain use where the out-of- 179 band exchange of a shared secret is feasible is defined in [5]. 180 Potential exposures to attack are discussed in section 7 of the DHCP 181 protocol specification in [2]. 183 The VSS Information option could be used by a client in order to 184 obtain an IP address from a VSS other than the one where it should. 185 DHCP relays MAY choose to remove the option before passing on 186 DHCPDISCOVER packets. Another possible defense would be for the DHCP 187 relay to insert a Relay option containing a VSS Information 188 Suboption, which would override the DHCP VSS Information option. 190 This option would allow a client to perform a more complete 191 address-pool exhaustion attack since the client would no longer be 192 restricted to attacking address-pools on just its local subnet. 194 Servers that implement the VSS Information option MUST by default 195 disable use of the feature; it must specifically be enabled through 196 configuration. Moreover, a server SHOULD provide the ability to 197 selectively enable use of the feature under restricted conditions, 198 e.g., by enabling use of the option only from explicitly configured 199 client-ids, enabling its use only by clients on a particular subnet, 200 or restricting the VSSs from which addresses may be requested. 202 4. IANA Considerations 204 No assignment of values for the type field need be made at this time. 205 New values may only be defined by IETF Consensus, as described in 206 [6]. Basically, this means that they are defined by RFCs approved by 207 the IESG. 209 Moreover, any changes or additions to the type byte codes MUST be 210 made concurrently in the type byte codes of the VSS Information 211 Option. The type bytes and data formats of the VSS Information 212 Option and VSS Information Suboption MUST always be identical. 214 5. Acknowledgements 216 This document is the result of work done within Cisco Systems. 217 Thanks to Kim Kinnear, Mark Stapp, and Jay Kumarasamy for their work 218 on this option definition and the other related work for which this 219 is necessary. 221 6 References 223 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement 224 Levels", RFC 2119, BCP 14, March 1997. 226 [2] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, 227 March 1997. 229 [3] Droms, R. and S. Alexander, "DHCP Options and BOOTP Vendor 230 Extensions", RFC 2132, March 1997. 232 [4] Fox, B. and B. Gleeson, "Virtual Private Networks Identifier", 233 RFC 2685, September 1999. 235 [5] Droms, R., "Authentication for DHCP Messages", RFC 3118, June 236 2001. 238 [6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA 239 Considerations Section in RFCs", RFC 2434, October 1998. 241 [7] Volz, B., "Reclassifying Dynamic Host Configuration Protocol 242 version 4 (DHCPv4) Options", RFC 3942, November 2004. 244 Authors' Addresses 246 Richard A. Johnson 247 Cisco Systems 248 170 W. Tasman Dr. 249 San Jose, CA 95134 250 US 252 Phone: +1 408 526 4000 253 EMail: raj@cisco.com 254 Jay Kumarasamy 255 Cisco Systems 256 170 W. Tasman Dr. 257 San Jose, CA 95134 258 US 260 Phone: +1 408 526 4000 261 EMail: jayk@cisco.com 263 Kim Kinnear 264 Cisco Systems 265 250 Apollo Drive 266 Chelmsford, MA 01824 267 US 269 Phone: +1 978 244 8000 270 EMail: kkinnar@cisco.com 272 Mark Stapp 273 Cisco Systems 274 250 Apollo Drive 275 Chelmsford, MA 01824 276 US 278 Phone: +1 978 244 8000 279 EMail: mjs@cisco.com 281 Intellectual Property Statement 283 The IETF takes no position regarding the validity or scope of any 284 Intellectual Property Rights or other rights that might be claimed to 285 pertain to the implementation or use of the technology described in 286 this document or the extent to which any license under such rights 287 might or might not be available; nor does it represent that it has 288 made any independent effort to identify any such rights. Information 289 on the procedures with respect to rights in RFC documents can be 290 found in BCP 78 and BCP 79. 292 Copies of IPR disclosures made to the IETF Secretariat and any 293 assurances of licenses to be made available, or the result of an 294 attempt made to obtain a general license or permission for the use of 295 such proprietary rights by implementers or users of this 296 specification can be obtained from the IETF on-line IPR repository at 297 http://www.ietf.org/ipr. 299 The IETF invites any interested party to bring to its attention any 300 copyrights, patents or patent applications, or other proprietary 301 rights that may cover technology that may be required to implement 302 this standard. Please address the information to the IETF at 303 ietf-ipr@ietf.org. 305 Disclaimer of Validity 307 This document and the information contained herein are provided on an 308 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 309 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 310 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 311 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 312 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 313 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 315 Copyright Statement 317 Copyright (C) The Internet Society (2005). This document is subject 318 to the rights, licenses and restrictions contained in BCP 78, and 319 except as set forth therein, the authors retain all their rights. 321 Acknowledgment 323 Funding for the RFC Editor function is currently provided by the 324 Internet Society.